NAC Ideas Worth Hearing

So many vendors were shouting about Network Admission Control (NAC) at this year's Interop that they nearly drowned out the "ding-ding" of the slot machines. That means enterprises investigating NAC first have to tune out high levels of marketing B.S., vendor obfuscation and bandwagon-jumping before they hear of anything with actual business value.

To help save your eardrums, I'll point you toward two interesting NAC architectures that emerged from the noise at Interop: peer-based enforcement and SSL VPNs on the LAN.

Peer Pressure

First is Dynamic NAC from InfoExpress. Here's the idea: take a small number of PCs or servers on a subnet that already have the DNAC client software installed and make them Enforcers. Enforcers monitor broadcast traffic on the segment to detect and intercept endpoints as they connect to the network. Enforcers use a variety of techniques, such as ARP redirects, to shunt new endpoints to a policy server.

The policy server checks for the presence of DNAC software and runs compliance checks. Non-compliant machines can then be quarantined and/or sent to remediation sites. If the end point doesn't have the DNAC client software, the enterprise has a variety of policy options: download a full agent, use an on-demand Web-based agent, or restrict the end point's network access.

DNAC's clearest benefit is that it doesn't require 802.1x, an upgrade to your switching infrastructure, or the purchase of NAC switches or NAC appliances, all of which can be expensive and complicated. It also helps address the problem of guest workers and contractors outside your administrative domain.

On the downside, Enforcers may be overwhelmed if they have to deal with a large number of non-compliant end points. Enforcers themselves may fall out of compliance and lose Enforcer status, which may result in an unmonitored subnet. InfoExpress says administrators can create persistent Enforcers to continue monitoring even if their own compliance status changes.
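As an added illustration (not InfoExpress's code), here is a minimal model of the Enforcer role described above: it parses ARP broadcasts to learn when an endpoint appears on the segment, hands each new endpoint once to a stubbed policy check, and records the resulting action. The frame builder, the `policy_lookup` callable and the allow/quarantine/web-agent outcomes are assumptions made for this example; the sample frames are constructed, not captured.

```python
import struct
ARP_ETHERTYPE = 0x0806

def build_arp_frame(src_mac: bytes, src_ip: bytes, target_ip: bytes, op: int = 1) -> bytes:
    """Constructed sample traffic: a broadcast Ethernet frame carrying an ARP request (op=1)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ARP_ETHERTYPE)
    # hardware type Ethernet(1), protocol IPv4(0x0800), hw len 6, proto len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + src_mac + src_ip + b"\x00" * 6 + target_ip
    return eth + arp

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, opcode) for an ARP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ARP_ETHERTYPE):
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip, opcode

# Hypothetical policy outcomes standing in for the policy server's decisions.
ACTIONS = {"compliant": "allow", "noncompliant": "quarantine", "noagent": "web-agent"}

class Enforcer:
    """Passive peer on one segment: learns endpoints from ARP broadcasts and hands new ones to policy."""
    def __init__(self, policy_lookup):
        self.policy_lookup = policy_lookup   # callable(mac) -> one of the ACTIONS keys (stubbed here)
        self.seen = {}                       # sender_mac -> action already decided
    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None                      # not ARP: nothing to learn from this frame
        mac, ip, _ = parsed
        if mac in self.seen:
            return None                      # already assessed; do not shunt it to policy again
        action = ACTIONS[self.policy_lookup(mac)]
        self.seen[mac] = action
        return mac, ip, action

def demo():
    # Constructed segment: one compliant host, one non-compliant host, one host with no agent.
    policy = {"00:11:22:33:44:55": "compliant", "aa:bb:cc:dd:ee:01": "noncompliant"}
    enforcer = Enforcer(lambda mac: policy.get(mac, "noagent"))
    frames = [
        build_arp_frame(bytes.fromhex("001122334455"), bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])),
        build_arp_frame(bytes.fromhex("aabbccddee01"), bytes([10, 0, 0, 6]), bytes([10, 0, 0, 1])),
        build_arp_frame(bytes.fromhex("aabbccddee02"), bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1])),
        b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + b"\x00" * 28,  # IPv4, not ARP
        build_arp_frame(bytes.fromhex("001122334455"), bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])),
    ]
    return [enforcer.observe(f) for f in frames]
```

Running `demo()` shows the three first-seen endpoints each receiving one policy action, while the non-ARP frame and the repeat ARP from an already-assessed host produce no new action.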

SSL VPNs on the Inside

The second idea is to invert an SSL VPN and run it inside the LAN. Vendors such as Aventail, Array Networks and Caymas Systems are playing up the similarities between SSL VPNs and NAC. That's because SSL VPNs already perform NAC-like functions for remote users: assess the health of the end point and enable policy-based access to applications.

By deploying an SSL VPN proxy on the LAN in front of critical applications, you can run a health check on every device that accesses the applications and provide an additional level of policy-based access. The traffic between the proxy and the end point will also be encrypted, which may be a plus if your users work with sensitive information.

The key drawback here is scalability. Because the SSL VPN is a proxy, it may have a hard time scaling to support a large number of users and/or a high volume of transactions. This solution may also require a significant effort to "Webify" the applications you want to protect.

As you can see, neither of these options is perfect. However, both may serve as NAC starter kits, allowing you to run trials and track end point compliance with corporate policies without breaking the bank or requiring major overhauls to your existing architecture. If you're sounding out a NAC architecture, these two ideas are worth hearing.

About the Author(s)

Andrew Conry-Murray

Former Director of Content & Community